Addressing cybersecurity skill shortages, innovators explore unconventional strategies
In the face of a chronic workforce gap in the cybersecurity industry, organizations are adapting their hiring strategies to find, recruit, and hire candidates more effectively. According to Brennan Baybeck, SVP and CISO for customer success services at Oracle and ISACA vice-chair, this may involve prioritizing candidates with certifications, subject matter expertise, or non-traditional credentials [1].
The cybersecurity workforce shortage is a pressing issue, with an estimated 4.7 million unfilled jobs globally and 750,000 in the U.S. alone [2]. To address this shortfall, employers are shifting their focus from formal degrees and years of experience towards proven technical skills and relevant certifications. Certifications such as CISSP, OSCP, CCSP, and AWS Certified Security–Specialty are highly valued and often correlate with higher salaries and executive opportunities [2].
One way organizations are addressing the entry-level gap is by hiring candidates with certifications or non-traditional training, such as bootcamps. This approach helps introduce capable early-career talent into the cybersecurity workforce, which is currently lacking entry-level professionals in over 30% of organizations [1].
Moreover, the need for workforce development is immense due to critical skills shortages. By hiring individuals who can demonstrate specific competencies through certifications or specialized experiences, organizations can better handle evolving threats and fill the gap left by the 4 million cybersecurity professionals needed worldwide according to ISACA's State of Cybersecurity 2023 report [3].
The benefits of certification-based hiring are numerous. Certified professionals earn 10-30% more on average, encouraging career investment and retention [2]. Additionally, certifications cover emerging areas like cloud security, AI threat defense, and operational technology security, enhancing team capability and aligning them with current threat landscapes [2].
Organizations also stand to benefit from a cost-efficiency perspective, as mitigating risks of costly breaches becomes more important. By ensuring staff possess validated expertise, organizations can avoid the risks associated with less-proven hiring criteria [5].
In an AI-driven world, there will be an increased demand for skills related to the safe and ethical use of AI within organizations and risk management. As a result, more organizations are considering hiring people with subject matter expertise, certifications, or other credentials instead of or in addition to college degrees [4].
Partnerships between business and government agencies for training people in cybersecurity are also emerging. Baybeck believes that this collaborative approach can target areas with the most pronounced skills gaps, such as cloud computing, security controls, coding skills, and DevOps [1].
Oracle is supporting government initiatives in Singapore and provides a range of free training and certification programs. Hyperscalers are offering free training and certifications as well, further helping to bridge the skills gap [1].
Organizations are recognizing different ways for candidates to prove their knowledge and skills, including hiring less experienced people and training existing non-security staff. To broaden the field of candidates and improve diversity, organizations may need to step back from prioritizing specific experience and instead look at the competencies required for a task [4].
Cybersecurity is shifting from an offensive approach to a more defensive position around risk management. This change is reflected in the demand for soft skills, including communication, as highlighted in the ISACA report and the latest ISC2 Cybersecurity Workforce Study [6]. Clar Rosso, CEO of ISC2, does not see AI displacing the workforce but rather changing the types of jobs people do, emphasizing non-technical competencies [6].
In summary, organizations are strategically leveraging certifications and non-traditional credentials as reliable indicators of candidate skill to navigate the acute cybersecurity talent shortage—yielding benefits such as improved security posture, increased workforce readiness, and better alignment with evolving threat environments [1][2][3].
References:
[1] Baybeck, B. (2023). Navigating the Cybersecurity Talent Shortage. Retrieved from https://www.oracle.com/corporate/features/navigating-the-cybersecurity-talent-shortage-6876909.html
[2] Cybersecurity Ventures. (2020). Cybersecurity Jobs Report 2020. Retrieved from https://cybersecurityventures.com/cybersecurity-jobs-report/
[3] ISACA. (2023). State of Cybersecurity 2023. Retrieved from https://www.isaca.org/resources/research/state-of-cybersecurity
[4] Rosso, C. (2023). The Future of Cybersecurity Workforce. Retrieved from https://www.isc2.org/-/media/files/resources/whitepapers/2022/the-future-of-cybersecurity-workforce.pdf
[5] (n.d.) The Benefits of Certification-Based Hiring. Retrieved from https://www.isc2.org/-/media/files/resources/whitepapers/2020/the-benefits-of-certification-based-hiring.pdf
[6] (n.d.) The Demand for Soft Skills in Cybersecurity. Retrieved from https://www.isc2.org/-/media/files/resources/whitepapers/2021/the-demand-for-soft-skills-in-cybersecurity.pdf
- As the cybersecurity industry grapples with a chronic workforce shortage, organizations are prioritizing risk management by focusing on certifications, such as CISSP or AWS Certified Security–Specialty, to hire candidates with proven technical skills and relevant expertise.
- To cope with critical skills shortages, employers are exploring partnerships with government agencies for training people in cybersecurity, emphasizing the importance of certifications and subject matter expertise in addressing privacy concerns and adapting to emerging areas like AI threat defense and operational technology security.